1. Description
    

     Due to the popularity of Twitter and its limit on the length of each posted
message, it has become a hotbed of malicious shortened URLs.
The Lionic NSS group has now further discovered that, in order to avoid
tracking, these shortened URLs use two layers of redirection.

2. Case Study

     Lionic NSS today discovered two shortened URLs now spreading on Twitter;
both link to the same malware instance.
As shown in Figure 1, the first uses a "bit.ly" shortened URL that links to another
"rurl.org" shortened URL, which finally connects to a malware executable that
masquerades as a picture file. A user who is not vigilant might run it and fall victim.
As shown in Figure 2, the second uses a "tinyurl.com" shortened URL that links to
another "rurl.org" shortened URL, which directs to the same malware instance mentioned above.
This malware instance is detected on VirusTotal with a detection rate of 16/42
(38.1%)
(http://www.virustotal.com/analisis/54afc4982cb704998d9090344452f10fc5e5f0fb039713a5ebd516a79c8a21c6-1280195817)

3. Recommendation


a. Don't click a shortened URL without checking it first.
b. The Lionic WebGuard malicious URL database can block these malicious URLs.
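
One way to carry out the check in (a), as an added example that is not Lionic's or AegisLab's own code: it walks the redirect chain with HEAD requests only, so no body is downloaded, and reports chained shorteners and a binary target with an image-like name. The extension and content-type lists, the `trace` and `http_head` names, and the `SAMPLE` responses (including the final URL) are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "rurl.org"}  # hosts named in the advisory
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXE_EXTS = (".exe", ".scr", ".pif", ".com")          # assumed list, extend locally
IMAGE_MARKS = (".jpg", ".jpeg", ".png", ".gif")      # assumed list

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # make every 3xx visible instead of following it

def http_head(url):
    """Send one HEAD request; return (status, Location, Content-Type)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=10)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        resp = err
    return resp.code, resp.headers.get("Location"), resp.headers.get("Content-Type", "")

def trace(url, head=http_head, max_hops=5):
    """Walk the redirect chain hop by hop; return (chain, findings)."""
    chain, findings, ctype = [url], [], ""
    for _ in range(max_hops):
        status, location, ctype = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    else:
        findings.append("redirect limit reached")
    short = [urlparse(u).hostname for u in chain if urlparse(u).hostname in SHORTENERS]
    if len(short) >= 2:
        findings.append("chained shorteners: " + " -> ".join(short))
    path = urlparse(chain[-1]).path.lower()
    binary = path.endswith(EXE_EXTS) or ctype.split(";")[0].strip().lower() in BINARY_TYPES
    if binary:
        findings.append("final target is a binary download")
    if binary and any(mark in path for mark in IMAGE_MARKS):
        findings.append("binary with an image-like name")
    return chain, findings

# Constructed responses for an offline run; the paths and the final URL are made up.
SAMPLE = {
    "http://bit.ly/EXAMPLE1": (301, "http://rurl.org/EXAMPLE2", "text/html"),
    "http://rurl.org/EXAMPLE2": (302, "http://files.example.test/photo.jpg.exe", "text/html"),
    "http://files.example.test/photo.jpg.exe": (200, None, "application/octet-stream"),
}
```

Calling `trace("http://bit.ly/EXAMPLE1", head=SAMPLE.get)` replays the constructed chain offline; leaving out `head` makes live HEAD requests.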

 

by AegisLab.